How to allow protocol-41 (6in4) through the GCE firewall?
As a stopgap until Google supports native IPv6 on Google Compute Engine, I'd like to configure a 6in4 (IP protocol 41) tunnel.
I added a firewall rule to allow protocol 41 on the VM's network:
Name         Source tag / IP range   Allowed protocols / ports   Target tags
allow-6in4   216.66.xxx.xxx          41                          Apply to all targets
and configured the tunnel in /etc/network/interfaces:
auto 6in4
iface 6in4 inet6 v4tunnel
address 2001:470:xxxx:xxxx::2
netmask 64
endpoint 216.66.xxx.xxx
gateway 2001:470:xxxx:xxxx::1
ttl 64
up ip link set mtu 1280 dev $IFACE
I then ran ping6 2001:470:xxxx:xxxx::1 and verified that the 6in4 traffic was going out:
$ sudo tcpdump -pni eth0 host 216.66.xxx.xxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
22:52:03.732841 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 1, length 64
22:52:04.740726 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 2, length 64
22:52:05.748690 IP 10.240.xxx.xxx > 216.66.xxx.xxx: IP6 2001:470:xxxx:xxxx::2 > 2001:470:xxxx:xxxx::1: ICMP6, echo request, seq 3, length 64
I temporarily changed the endpoint to an address where I could run tcpdump and confirmed that the packets never reach the destination. I even tried doing the NAT myself, in case GCE wasn't doing it for 6in4 packets, but had no luck (iptables -t nat -A POSTROUTING -p ipv6 -j SNAT --to-source 130.211.xxx.xxx).
Has anyone got a 6in4 tunnel working on a GCE VM? Is there some magic setting I'm missing?
TL;DR: you can't.
Traffic that uses a protocol other than TCP, UDP, and ICMP is blocked, unless explicitly allowed through Protocol Forwarding.
Google Compute Engine supports protocol forwarding for the following protocols:
AH: Specifies the IP Authentication Header protocol.
ESP: Specifies the IP Encapsulating Security Payload protocol.
SCTP: Specifies the Stream Control Transmission Protocol.
TCP: Specifies the Transmission Control Protocol.
UDP: Specifies the User Datagram Protocol.
So a protocol forwarding rule has to be for one of these IP protocol numbers:
- 51 (AH)
- 50 (ESP)
- 132 (SCTP)
- 6 (TCP)
- 17 (UDP)
The Protocol Forwarding page states explicitly that other protocol numbers, such as 41 (6in4), are not supported:
Note: This is an exhaustive list of supported protocols. Only protocols that appear here are supported for protocol forwarding.
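As an added illustration (not part of the question or answer above), the following Python builds a 6in4 packet shaped like the ones in the tcpdump output and shows which header field the GCE firewall evaluates: the outer IPv4 protocol number (41), not the ICMPv6 carried inside. The addresses are constructed documentation values and the verdict logic only encodes the rules quoted in the answer.

```python
import socket
import struct

# Outcomes stated in the answer: plain firewall rules carry only TCP, UDP and
# ICMP; everything else is dropped unless it is one of the five
# protocol-forwarding protocols.  Numbers are the IANA IP protocol numbers.
FIREWALL_ONLY = {1: "ICMP", 6: "TCP", 17: "UDP"}
PROTOCOL_FORWARDING = {51: "AH", 50: "ESP", 132: "SCTP", 6: "TCP", 17: "UDP"}
IPPROTO_6IN4 = 41    # IPv6-in-IPv4 encapsulation
IPPROTO_ICMPV6 = 58

def build_6in4_echo(outer_src, outer_dst, inner_src, inner_dst, seq=1):
    """Constructed sample: IPv4 (protocol 41) wrapping IPv6 wrapping an ICMPv6
    echo request with 56 data bytes, as in the tcpdump lines above.
    Checksums are left zero because only headers are inspected here."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 0x1234, seq) + b"\x00" * 56
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(icmp6), IPPROTO_ICMPV6, 64,
                      socket.inet_pton(socket.AF_INET6, inner_src),
                      socket.inet_pton(socket.AF_INET6, inner_dst))
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ip6) + len(icmp6), 0,
                      0x4000, 64, IPPROTO_6IN4, 0,
                      socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    return ip4 + ip6 + icmp6

def parse_outer_ipv4(pkt):
    """Return what the GCE firewall evaluates: the outer protocol number and
    addresses.  The encapsulated IPv6 payload is returned untouched."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {"protocol": proto, "src": socket.inet_ntoa(src),
            "dst": socket.inet_ntoa(dst), "payload": pkt[ihl:total]}

def gce_verdict(proto):
    """Map an outer IP protocol number to the outcome described in the answer."""
    if proto in FIREWALL_ONLY:
        return "pass: %s is allowed by an ordinary firewall rule" % FIREWALL_ONLY[proto]
    if proto in PROTOCOL_FORWARDING:
        return "pass: %s needs a protocol-forwarding rule" % PROTOCOL_FORWARDING[proto]
    return "drop: protocol %d is not in the protocol-forwarding list" % proto

if __name__ == "__main__":
    pkt = build_6in4_echo("10.240.0.2", "203.0.113.1", "2001:db8::2", "2001:db8::1")
    hdr = parse_outer_ipv4(pkt)
    # Inner next-header byte is 58 (ICMPv6); the firewall never sees it, it sees 41.
    print(hdr["protocol"], hdr["payload"][6], gce_verdict(hdr["protocol"]))
```

The same check explains why the SNAT attempt in the question could not help: rewriting the outer source address leaves the protocol field at 41.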